Uh oh!
There was an error while loading.Please reload this page.
- Notifications
You must be signed in to change notification settings - Fork144
devel: rest api token auth#469
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
base:master
Are you sure you want to change the base?
Conversation
Implement a simple token authentication header for various "restish"endpoints we might want for adoption/disowning of packages.
raffomania commentedDec 10, 2024
Hey, just a reminder, if you don't find the time to continue this, I'd like to help out :) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Awesome to see progress on this, this will be a very useful feature. Thank you for working on this.
| classAuthTokenBackend(object): | ||
| defauthenticate(self,request,username=None,password=None): | ||
| if'X-Archweb-Token'inrequest.headers: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Wouldn't it make sense to useAuthorization: Bearer as header, this is a quite widely used way for such API and would also allow a lot of HTTP clients to use implemented helper methods for authenticate a request with a token. Otherwise you'd need to pass around custom header strings likeX-Archweb-Token.
What are your thoughts about this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Sounds fine to me, it shouldn't conflict with things I suppose.
| <formid="api-profile-form"enctype="multipart/form-data"method="post"action="">{% csrf_token %} | ||
| <h3>API token</h3> | ||
| <p>Token for completing todolist items with for example, rebuild-todo</p> | ||
| {% if profile.api_token is None %} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
I assume it would be a good pattern to be able to revoke a token, or to phrase it differently: Generate a new token and invalidate the existing one.
I'd probably propose something like only showing the token once when the generate button is clicked and otherwise show an invalidate/regenerate button instead. We should hide the token after generating it.
Implement a simple token authentication header for various "restish" endpoints we might want for adoption/disowning of packages.